FCA Proportionality: Why Scaling Fintechs and Mid-Sized Firms Break Under Enterprise Frameworks
In July 2025, the Financial Conduct Authority (FCA) handed Monzo a financial penalty of £21,091,300. A few months prior, Starling Bank was hit with a £28,959,426 fine. These were not the results of amateur founders ignoring the rules. These were mature, high-growth entities that had allegedly built frameworks designed to appease regulators. The failure did not stem from a lack of compliance intent; it stemmed from a catastrophic fracture where linear compliance capabilities were pulverized by exponential customer growth.
This phenomenon creates what is known as "control debt." Much like technical debt in software development, control debt is the accumulating gap between a firm’s risk exposure and its risk management capability. When a firm scales from 600,000 to 5.8 million customers in two years—as was the case in the Monzo post-mortem—the product engine scales exponentially while the compliance engine often struggles to scale linearly. For the Head of Compliance at a mid-sized investment firm or a scaling fintech, the message is clear: growth without proportional control is not a success; it is a deferred regulatory cost.
The "Control Debt" Trap in Scaling Firms
Control debt compounds silently. In the case of Monzo, the bank removed address verification from its identity-checking flow to reduce friction during sign-ups. This led to a scenario where applicants successfully registered accounts using landmark addresses like 10 Downing Street and Buckingham Palace. By prioritizing the user journey over the Anti-Money Laundering (AML) framework, the firm created a systemic weakness that was eventually exploited.
The most damning evidence of control debt is the inability to respond to regulatory intervention. Between August 2020 and June 2022, Monzo opened accounts for over 34,000 high-risk customers in direct violation of an FCA order to stop. This was not a deliberate act of defiance; it was a systems failure. The bank simply did not have the operational infrastructure to implement a hard stop on specific customer cohorts while its growth engine remained in high gear.
Starling Bank faced a similar reckoning. After exponential growth between 2016 and 2023, during which its customer base reached 3.6 million, the FCA identified serious concerns about its AML and financial sanctions framework. Starling accepted a voluntary requirement (VREQ) to stop opening accounts for high-risk customers. Yet it failed to implement the sub-requirements of that VREQ, and 54,359 accounts were opened for high-risk individuals. These failures demonstrate that the larger a firm gets, the more vulnerable it becomes to its own legacy processes.
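Both cases above come down to the same engineering gap: a regulatory stop order and an address check that were not enforced at a single choke point every sign-up path had to pass through. The following added example (not code from the article, and not a description of any bank's actual system) sketches a defender's version of such a gate in Python: stop orders are evaluated first so a new low-friction sign-up route cannot route around them, every decision is written to an audit log as evidence, and a separate reconciliation function re-checks opened accounts against stop-order windows so a breach like the ones described is detected rather than discovered by the supervisor. The address reference set, risk tiers, applicants and account openings are all constructed sample data; `VERIFIED_ADDRESSES` stands in for a hypothetical external verification service.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed reference set standing in for an external address-verification
# service (hypothetical stub); real deployments would query a provider.
VERIFIED_ADDRESSES = {
    ("12 Example Road", "EX1 1AA"),
    ("3 Sample Street", "SA2 2BB"),
}


@dataclass(frozen=True)
class Applicant:
    applicant_id: str
    address_line: str
    postcode: str
    risk_tier: str  # constructed tiers: "low", "medium", "high"


@dataclass(frozen=True)
class StopOrder:
    """Hypothetical model of a regulatory instruction to stop onboarding a cohort."""
    cohorts: frozenset
    effective_from: date
    effective_to: Optional[date] = None

    def applies(self, risk_tier: str, on: date) -> bool:
        if risk_tier not in self.cohorts or on < self.effective_from:
            return False
        return self.effective_to is None or on <= self.effective_to


@dataclass(frozen=True)
class Decision:
    applicant_id: str
    accepted: bool
    reason: str


def verify_against_reference(address_line: str, postcode: str) -> bool:
    """Address check: accept only addresses present in the reference set."""
    return (address_line.strip(), postcode.strip().upper()) in VERIFIED_ADDRESSES


class OnboardingGate:
    """Single choke point that every account-opening path must call.

    Stop orders are checked before anything else, so a product team cannot
    bypass them by adding another sign-up route. Every decision is appended
    to an audit log that can be handed over as evidence.
    """

    def __init__(self, verify_address: Callable[[str, str], bool],
                 stop_orders: Iterable[StopOrder]) -> None:
        self.verify_address = verify_address
        self.stop_orders = list(stop_orders)
        self.audit_log: List[Decision] = []

    def decide(self, applicant: Applicant, on: date) -> Decision:
        for order in self.stop_orders:
            if order.applies(applicant.risk_tier, on):
                return self._record(applicant, False, f"hard_stop:{applicant.risk_tier}")
        if not self.verify_address(applicant.address_line, applicant.postcode):
            return self._record(applicant, False, "address_unverified")
        return self._record(applicant, True, "accepted")

    def _record(self, applicant: Applicant, accepted: bool, reason: str) -> Decision:
        decision = Decision(applicant.applicant_id, accepted, reason)
        self.audit_log.append(decision)
        return decision


def reconcile_openings(opened: Iterable[Tuple[str, str, date]],
                       stop_orders: Iterable[StopOrder]) -> List[str]:
    """Periodic control test: ids of accounts opened for a cohort while a stop
    order was in force. A firm in compliance expects this list to be empty."""
    orders = list(stop_orders)
    return [acct_id for acct_id, tier, opened_on in opened
            if any(o.applies(tier, opened_on) for o in orders)]


# Constructed sample data: one stop order on the "high" cohort, four
# applicants, and three historical account openings to reconcile.
HIGH_RISK_STOP = StopOrder(cohorts=frozenset({"high"}), effective_from=date(2020, 8, 1))

SAMPLE_APPLICANTS = [
    (Applicant("A1", "12 Example Road", "EX1 1AA", "high"), date(2021, 1, 5)),
    (Applicant("A2", "3 Sample Street", "sa2 2bb", "low"), date(2021, 1, 5)),
    (Applicant("A3", "10 Downing Street", "SW1A 2AA", "low"), date(2021, 1, 5)),
    (Applicant("A4", "12 Example Road", "EX1 1AA", "high"), date(2020, 7, 1)),
]

SAMPLE_OPENINGS = [
    ("acc-1", "high", date(2021, 3, 1)),   # opened while the stop order was live
    ("acc-2", "low", date(2021, 3, 1)),
    ("acc-3", "high", date(2020, 7, 15)),  # opened before the stop order
]


def run_gate() -> dict:
    """Run the sample applicants through the gate; return applicant_id -> reason."""
    gate = OnboardingGate(verify_against_reference, [HIGH_RISK_STOP])
    return {a.applicant_id: gate.decide(a, on).reason for a, on in SAMPLE_APPLICANTS}


if __name__ == "__main__":
    for applicant_id, reason in run_gate().items():
        print(applicant_id, reason)
    print("breaches:", reconcile_openings(SAMPLE_OPENINGS, [HIGH_RISK_STOP]))
```

Running it, A1 is refused by the hard stop before its address is even looked at, A3 is refused because a landmark address is not in the reference set, and the reconciliation flags only `acc-1`, the account opened inside the stop-order window. The design point is that the stop order lives in one place that the onboarding flow cannot skip, and that the same `StopOrder.applies` rule is reused by the periodic reconciliation, so the preventive control and the detective control cannot drift apart.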
The Myth of the "Enterprise" Framework
Many mid-sized firms regulated by the FCA attempt to solve these scaling issues by adopting "enterprise" compliance models used by Tier-1 global banks. This is a strategic error. A mid-sized investment firm with £50M in revenue does not have the same risk profile, resource pool, or operational complexity as an institution like Goldman Sachs. Adopting an off-the-shelf, over-engineered framework often leads to "performative compliance" where teams spend more time filling out spreadsheets than identifying actual risks.
These enterprise frameworks are frequently too rigid for the agile nature of scaling firms. They create internal resistance: the day-to-day compliance demands become so burdensome that the team is stretched thin. When the framework is disconnected from the actual business model, red flags are missed and audit fatigue sets in. The goal is not to have the most complex manual in the industry; it is to have a framework that is executable.
At Compliance Consultant, we often see firms struggling because they believe proportionality means "doing less." In reality, proportionality means "doing what is effective for your specific scale." A framework that looks impressive on paper but fails in execution is a liability, not an asset. It provides a false sense of security while control debt continues to accrue in the background.
Understanding the FCA’s "Proportionality" Principle
The FCA's Threshold Conditions and the Consumer Duty are built on the concept of reasonableness. As outlined in the FCA Consumer Duty and the Fintech Product Lifecycle guide, the regulator expects firms to deliver good outcomes based on an objective test. Proportionality allows a firm’s approach to match the nature of its services, the characteristics of its customers, and the size of its resources.
However, the FCA has been explicit: proportionality does not equal minimalism. It means fit-for-purpose governance and evidence that are scaled to risk. For a mid-sized firm, this means you must still demonstrate reasoned, documented choices. If you choose not to implement a specific automated monitoring tool, you must be able to prove that your manual alternative is robust enough to handle your current and projected volumes.
This is particularly critical when navigating the supervisory maturity curve. As a firm grows, the regulator's focus shifts from innovation to resilience. Early-stage firms might get away with more manual oversight, but as you approach systemic relevance, the FCA expects those controls to be institutionalized. The transition from "startup" to "scale-up" is the most dangerous period for regulatory risk because it is where the supervisor's expectations often leapfrog the firm's actual capabilities.
Designing a Right-Sized Compliance Monitoring Programme (CMP)
To bridge the gap between growth and control, firms must move away from static manuals toward a dynamic Compliance Monitoring Programme (CMP). The first step in this process is a benchmark audit. You cannot fix what you have not measured. A benchmark review assesses your current systems and controls against the latest regulations and best practices, identifying exactly where your control debt is highest.
Once a baseline is established, the focus should shift to realistic risk registers and heat mapping. Many firms have risk registers that are thousands of lines long and completely unreadable. A functional register should highlight the most material risks to the business and be updated through regular horizon scanning. This ensures that the internal team isn't overwhelmed by admin but is instead focused on the high-impact areas that could trigger a Section 166 review.
Integrating tools like a Compliance Monitoring Programme Builder allows for the automation of routine checks, freeing up the Head of Compliance to focus on strategic oversight. This is where the methodology of "engage, execute, embed" becomes vital. You engage with the risks, execute the necessary controls, and then embed them into the culture of the firm so they aren't dependent on a single individual.
What Most People Get Wrong
A common mistake among scaling firms is relying on legal advice for operational compliance problems. While solicitors are essential for interpreting the law, they are rarely equipped to build an operational framework. As we discuss in Your Solicitor Can't Save You From the FCA, there is a significant difference between knowing what the rule says and knowing how to implement a transaction monitoring system that won't crash when you double your user base.
Another frequent error is attempting to solve compliance debt by simply throwing headcount at the problem. Hiring more compliance managers is expensive and often introduces a single-point-of-failure risk. In the UK, a compliance manager typically commands a base salary of £60,000, with London roles often costing 20-40% more. When you factor in NIC, pensions, and recruitment fees, the cost of scaling an internal team can easily exceed £100,000 per person per year.
In contrast, a structured retainer model provides access to a broader range of expertise without the overhead of permanent staff. For instance, our Silver and Gold retainers provide up to 16 hours of advisory support, dedicated consultants, and a 4-hour response guarantee. A comprehensive Gold retainer costs less than 17% of the cost of employing a full-time compliance manager, potentially saving firms over £84,000 per year while providing superior regulatory coverage and access to specialized toolkits for SMCR, Consumer Duty, and AML.
Ultimately, the goal for any scaling firm is to decouple business growth from compliance costs. You need to do more with less, which requires moving away from manual spreadsheets toward systemized, proportionate controls. Scaling without control is not growth; it is simply a bigger target for the regulator.
To discuss how to align your framework with the FCA's proportionality expectations, visit the Compliance Consultant website and book a 30-minute discovery call. We can help you navigate a benchmark audit and identify the right retainer tier to support your firm's growth safely.